Virginia’s Consumer Data Protection Act (CDPA) was signed into law on March 2 and will become effective as of January 1, 2023. It aims to regulate the processing and sale of Virginians’ personal data by borrowing some aspects from Europe’s General Data Protection Regulation (GDPR) and some from the California Consumer Privacy Act (CCPA).
As a result of this law, VA residents will have increased rights over their data, including:
- Right of Access – data subjects may request a copy of their personal data held by businesses
- Right to Rectification – data subjects may request that businesses correct inaccuracies in their personal data
- Right to Erasure – data subjects may request that businesses delete all copies of their personal data
- Right to Opt-Out – data subjects may stop businesses from further processing their personal data for targeted advertising, sales of personal data, or profiling
- Right to Data Portability – data subjects may request a copy of their personal data in a format they can reuse for their own purpose
Who will the CDPA apply to?
The CDPA will apply to some businesses that process the personal data of VA residents, depending on the scale of their operations and how much revenue is generated from the sale of personal data.
Carveouts are in place for organizations and data already subject to existing federal data protection regulations such as the Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), and Family Educational Rights and Privacy Act (FERPA). Processing of personal data for employment reasons is also exempt from this law.
What do I have to do?
If you are an in-scope business, you’ll need to be compliant with the CDPA by January 1, 2023, or risk civil penalties of up to $7,500 per violation. The requirements of the CDPA are broad.
- Privacy Notice – businesses will need to provide notice to VA data subjects on what categories of personal information will be collected and the purpose of the processing
- Data Subject Access Requests (DSARs) – businesses will need a mechanism by which to receive and respond to DSARs
- Data Protection Assessments – controllers will need to conduct and document data protection assessments for processing activities such as targeted advertising, sales of personal data, profiling, processing of sensitive personal data, among others
- Consent to process sensitive personal data – businesses must obtain consent from data subjects before processing sensitive personal data. This includes racial or ethnic origin, health information, sexual orientation, citizenship/immigration status, genetic data, biometric data, children’s data, or precise geolocation data
- Data protection principles – businesses should also be able to demonstrate how they abide by data protection principles such as data minimization, purpose limitation, and data security
What if I’m already GDPR/CCPA-compliant?
That’s great! You’ll have less work to do before January 1, 2023, but there are still requirements that differ from the GDPR and CCPA.
For example, the data breach notification procedures in your GDPR Technical and Organizational Measures will likely need to be updated to address the new reporting requirements for CDPA. Your DSAR response process will now need to support requests from VA residents.
The CDPA adds to an already crowded data protection regulation landscape in the US.
As more and more state-specific data privacy laws appear, the pressure for a comprehensive federal regulation increases. A congressional bill for the Information Transparency and Personal Data Control Act was reintroduced on March 10 and brings hope that it will help ease the burden on businesses to manage compliance across the US.